March 23, 2021: A database containing records of over 300,000 customers of the arts and crafts chain store, Hobby Lobby, was exposed after the company suffered a cloud-bucket misconfiguration. When exfiltration was complete, 200 GB of customer data was stolen from Medibank, impacting 9.7 million customers. This exposure impacted 92% of the total LinkedIn user base of 756 million users. August 17, 2021: An unauthorized third party gained access to the personal and medical data of over 637,000 patients of UNM Health. April 24, 2021: A database containing the personal details of over 5.6 million users of the popular music instruments online marketplace Reverb was discovered after it was leaked into the Dark Web. However, by October of 2017, Yahoo changed the estimate to 3 billion user accounts. By changing the link customers received confirming online orders, anyone could access information including customers' names, the order's billing address, shipping address, phone number, and email address, plus the number of items and total dollar amount for the order, the delivery date, and a tracking link. Harbour Plaza Hotel Management, a hospitality management company in Hong Kong, suffered a breach of its accommodation reservation databases, impacting approximately 1.2 million customers. The leaked database from the audio chat social network includes user ID, name, photo URL, username, Twitter handle, Instagram handle, number of followers, number of people followed by the user, and account creation date, all of which the company claims is public information. Twitch, an Amazon-owned company, suffered a breach of almost its entire code base. Twitter did not disclose how many users were impacted but indicated that the number of users was significant and that they were exposed for several months.
The rising trend in data breaches continues to angle upwards, and as a result, there has never been a more precarious time in history to launch and maintain a successful business. The hackers published a sample containing 1 million records to confirm the legitimacy of the breach. The records exposed included private conversations between adult dating site members as well as the following Personally Identifiable Information: Besides the personal information of website members, this data breach also exposed many scam dating websites with fabricated female profiles. Antheus Tecnologia, a Brazilian biometrics company specializing in the development of fingerprint identification systems, suffered a breach to its server which could potentially expose 76,000 unique fingerprint records. The stolen records include client names, addresses, invoices, receipts and credit notes. September 30, 2021: An unauthorized third-party actor accessed and obtained personal information associated with 4.6 million Neiman Marcus customers' online accounts. The information gathered by the third party includes patient names, addresses, dates of birth, medical record numbers, patient identification numbers, health insurance information and some clinical information related to the healthcare services provided by UNM Health. Instead, their objective was to cause a mass disruption to punch Twitch for fostering a toxic community of users. January 20, 2021: A database containing 1.9 million user records belonging to Pixlr, a free online photo-editing application, was leaked by a hacker. In 2020, Kroll data shows an average 125% growth in breach notification cases for industries which experienced five or more breaches in 2019. February 20, 2021: A third-party data breach at cloud solutions company, Accellion, allowed hackers to steal human resources data and pharmacy records belonging to the supermarket giant, Kroger.
The email communication advised customers to change passwords and enable multi-factor authentication. Once downloaded, the software granted remote access to the company devices and to the customer relationship management (CRM) software containing account records for 4.9 million customers. Exposed data types include Social Security numbers, driver's license numbers, login information, medical records such as lab results and treatment information, and more. A million-dollar race to detect and respond. Employee login information was first accessed from malware that was installed internally. Before the Medium post was deleted, a second hacker read it and decided to also try to convince Slickwraps but with a slightly more impactful approach. Auth0's anomaly detection tool tracks breaches and maintains a database of compromised credentials. Given that FireEye's client base includes government entities, it is further speculated that these Red Team Assessment tools made the U.S. Government data breach possible - an attack labeled by cyber security experts as the biggest breach in the nation's security history. But the remaining passwords hashed with SHA-512 could not be cracked. The attackers had gained unauthorized access to the Starwood system back in 2014 and remained in the system after Marriott acquired Starwood in 2016. A subset of the data was sent to Have I Been Pwned which had 126 million unique email addresses.
March 3, 2021: Cybercriminals have targeted four security flaws in Microsoft Exchange Server email software. Experian suffered another breach in 2020, when a threat actor claiming to be Experian's client convinced staff to relinquish customer information for marketing purposes. Yahoo had become aware of this breach back in 2014, taking a few initial remedial actions but failing to investigate further. The breach contained email addresses and plain text passwords. Breached MeetMindful data dumped on dark web hacker forum - Source: ZDNet. The ransomware attack occurred over Labor Day weekend, and prevented LAUSD officials from accessing important data, including: After consulting with CISA and the FBI, LAUSD released a statement saying they would not be paying the ransom that Vice Society had demanded. Adidas announced in June 2018 that an "unauthorized party" had gained access to customer data on Adidas' US website. November 22, 2021: The restaurant chain, California Pizza Kitchen (CPK), revealed a data breach that exposed the personal details of over 100,000 current and former employees. During the investigation of the ransomware attack's impact on its network, they discovered some of its current and former employees' personal information was accessed by the attackers. These records made up a "data breach database" of previously reported . Prior to the attack, LAUSD was told of potential vulnerabilities in their systems but the school district failed to act to remediate the issues. Just wanted to share my experience to warn other people and see if anyone else has had this experience as well. The breached database was discovered by the UpGuard Cyber Research team.
Marriott disclosed a massive breach of data from 500 million customers in late November. Because customer credit card information was leaked, this cyber attack exposes EasyJet's breach of the General Data Protection Regulation, which could result in a fine of up to 4% of its global annual turnover. While there is evidence to say that the data is legitimate (many users confirmed their passwords were in the data), it is difficult to verify emphatically. Parler's Verified Citizens, or users who had verified their identity by uploading their driver's license or other government-issued photo ID, were also exposed. The attack also exposed customer information including names, addresses, email addresses, account numbers, social security numbers (SSNs), account personal identification numbers (PIN), account security questions and answers, date of birth, plan information and the number of lines subscribed to their accounts. In May 2019, Australian business, Canva - an online graphic design tool - suffered a data breach that impacted 137 million users. TJX, the owner of a number of retail brands, had one of its payment systems breached exposing over 45 million credit and debit card numbers. As North Carolinians battled the health and economic effects of the COVID-19 pandemic in 2020, hackers and fraudsters looked to take advantage. The sensitive medical information involved in the cyberattack includes names, birthdates and prescription details. The leaked details of more than 2.28 million users registered included names, email addresses, location details, dating preferences, marital status, birth dates, IP addresses, Bcrypt-hashed account passwords, Facebook user IDs and Facebook authentication tokens.
The breach was discovered by Visa and MasterCard in January 2009 when Visa and MasterCard notified Heartland of suspicious transactions. As of August 2020, the biggest fine and settlement resulting from a data breach was 575 million U.S. dollars fined to consumer credit reporting agency . "Marriott reported this incident to law enforcement and continues to support their investigation," the company said at the time. Let's hope SlickWraps finally strengthens their cybersecurity framework after such a tumultuous history. Macy's, Inc. will provide consumer protection services at no cost to those customers. The 1,644 data breaches reported in 2020 marked 434 more reported breaches than 2019, the largest year-to-year increase on record. According to a study by KPMG, 19% of consumers said they would completely stop shopping at a retailer after a breach, and 33% said they would take a break from shopping there for an extended period. The data compromised included names, home addresses, phone numbers, dates of birth, social security numbers, and driver's license numbers. But threat actors could still exploit the stolen information. June 21, 2021: The U.S. supermarket chain, Wegmans Food Markets, notified an undisclosed number of customers that their data was exposed after two of its cloud-based databases were misconfigured and made publicly accessible online. August 4, 2021: A marketing company, OneMoreLead, has exposed the personal records of 126 million individuals through an unsecured database posted online. January 26, 2021: VIPGames.com, a free gaming platform, exposed over 23 million records for more than 66,000 desktop and mobile users due to a cloud misconfiguration. In December 2018, Dubsmash suffered a data breach that exposed 162 million unique email addresses, usernames and PBKDF2 password hashes.
The security vulnerability that made the breach possible was a server configuration change permitting unauthorized access by third parties. Darden Restaurants announced in August that it had been notified by government officials that it was the victim of a cyberattack. The breach was first reported by Yahoo while in negotiations to sell itself to Verizon, on December 14, 2016. My Wayfair account has been hacked twice, once back in December and once this morning. Data associated with 700 million LinkedIn users was posted for sale in a Dark Web forum in June 2021. By 2014, the move to a single platform had paid off, with Wayfair becoming the largest online-only home furniture retailer in the United States. In June 2012, LinkedIn disclosed a data breach had occurred, but password-reset notifications at the time indicated that only 6.5 million user accounts had been affected. The compromised data, dating as far back as 2017, included the following types of information: Subsets of data also include street addresses, driver's licenses, and passport numbers. Data breaches continue to expose consumers' personally identifiable information (PII) at an alarming rate, putting close to three hundred million people at risk of identity theft and fraud. Data breaches aren't going anywhere and we're here to keep you up-to-date on the worst data breaches of the year putting you at risk of identity theft. Mailfire, an email marketing software used by adult dating sites and ecommerce websites, had its database breached exposing personal user records from over 70 websites. The records exposed the contact information of former hotel guests including Justin Bieber, Twitter CEO Jack Dorsey, and government officials.
In October 2015, NetEase (located at 163.com) was reported to have suffered a data breach that impacted hundreds of millions of subscribers. Many records also included names, phone numbers, IP addresses, dates of birth and genders. The company paid an estimated $145 million in compensation for fraudulent payments. In April 2019, Evite, a social planning and invitation site, identified a data breach from 2013. Wayfair had its first decline in annual revenue in 2021, after eight years of increases. Men's retailer Bonobos had personal information on 7 million shoppers, including 3.5 million partial credit cards, snatched by. The security exposure was discovered by the security company Safety Detectives. The 69 Biggest Data Breaches Ranked by Impact. Each of the data breaches reveals the mistakes that lead to the exposure of up to millions of personal data records. The issue was fixed in November for orders going forward.
Adult video streaming website CAM4 has had its Elasticsearch server breached exposing over 10 billion records. "The company has already begun notifying regulatory authorities." March 2020 added to this uneasiness with the discovery of an unprotected Elasticsearch database managed by a UK-based security company containing over 5 billion records. The compromised data included usernames and PINs for vote-counting machines (VCM).
The company said its count of active customers rose 53.7%, to 31.2 million, during the fourth quarter. The breach exposed highly personal information such as people's phone numbers, home, and email addresses, interests, and the number, age, and gender of their children. Wayfair is the amalgamation of all of the stores launched by Shah and Conine in the first decade of the company's existence. In 2022, it was responsible for about 1.5% of all e-commerce sales in the country. The following types of sensitive information were compromised in the cyberattack: In an email to its users, Plex assured its users that all compromised passwords were hashed and secured in accordance with best cybersecurity practices. Whoever is at fault for this breach will likely suffer tough financial regulatory consequences for their security negligence. While Under Armour's store systems and online store weren't affected, the retailer confirmed in March 2018 that data from its MyFitnessPal app was accessed by an "unauthorized party." Avid Life Media failed to comply which resulted in wave after wave of categorised data dumps in Pastebin. While viewing a customer's account in the CRM, the hacker had access to names, addresses, PINs, cell phone numbers, service plans and billing/usage statements. For the 12th year in a row, healthcare had the highest average data . Though Twitch admitted in its statement that a subset of creator payout data was also accessed, the company assures that credit card number and bank information was not compromised. The second hacker actually breached Slickwraps's abysmal defences and announced their cybersecurity complacency in an email to over 370,000 of its customers. At the time, it said personal information, including names, addresses, and partial credit card numbers may have leaked, though the company says the investigation is ongoing.
July 12, 2021: The fashion retailer, Guess, notified an undisclosed number of customers of a data breach following a ransomware attack. 2021 Data Breaches | The Most Serious Breaches of the Year. The data that is potentially at risk includes customer contact information like email addresses and physical addresses, as well as login information like usernames and passwords. The full dataset included personally identifiable information (PII) like names, email addresses, place of employment, roles held and location. The retailer confirmed that some customers shopping online at Macys.com and Bloomingdales.com between April 26, 2018 and June 12, 2018 could have had their personal information and credit-card details exposed to a third party. The data accessed consists of 2.3 million data points which could be reverse engineered to recreate each original fingerprint. When Zoom sign ups were nearing their pandemic peak in April of 2020, hackers breached 500,000 accounts and either sold or freely published them on the dark web. In February 2018, the diet and exercise app MyFitnessPal (owned by Under Armour) suffered a data breach, exposing 144 million unique email addresses, IP addresses and login credentials such as usernames and passwords stored as SHA-1 and bcrypt hashes (the former for earlier accounts, the latter for newer accounts). The exposed data includes their name, mailing address, email address and phone numbers. March 23, 2021: A phishing attack targeting the California State Controller's Office (SCO) Unclaimed Property Division led to an employee clicking on a malicious link, logging into a fake website and granting a hacker access to their email account. These data breaches are a real danger for both companies and customers, as they can damage the trust shoppers have in brands. Some of the records accessed include.
The leaked records include email addresses, usernames, hashed passwords, users' country, whether they signed up for the newsletter and other sensitive information. The company determined cybercriminals infiltrated its systems and gained access to certain files, including employee names and Social Security numbers. In June of 2018, Florida-based marketing and data aggregation firm Exactis exposed a database containing nearly 340 million records on a publicly accessible server. The database was stolen at the same time as the attack on 123RF, which exposed over 83 million user records. Twitter told its 330 million users to change their passwords but the company said it fixed the bug and that there was no indication of a breach or misuse, but encouraged the password update as a precaution. The data exposed included patient names, addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, healthcare provider names and/or medical and clinical treatment information among other sensitive data. February 18, 2021: The California Department of Motor Vehicles (DMV) alerted drivers they suffered a data breach after billing contractor, Automatic Funds Transfer Services, was hit by a ransomware attack. The records of 200 million voters were accessed from Deep Root Analytics, a firm working on behalf of the Republican National Committee (RNC). Revenues increased by 54 percent in 2020 and usage by 46 percent, higher than the two years preceding it. One state has not posted a data breach notice since September 2020. If this cybersecurity best practice isn't followed, a single compromise could result in a victim suffering multiple breaches.
Customers who visited Darden-owned Cheddar's Scratch Kitchen between November 3, 2017 and January 2, 2018 may have had their credit-card information stolen. Wayfair's average order value is one of the few metrics to increase from 2020 to 2021, rising 20% to $269. The breaches occurred over several occasions ranging from July 2005 to January 2007. Canva confirmed the incident, notified users, and prompted them to change passwords and reset OAuth tokens. Wayfair annual orders declined by 16% in 2021 to 51 million. The data was dumped in two waves, initially exposing 500 million users, and then a second dump where the hacker "God User" boasted that they were selling a database of 700 million LinkedIn. A series of credential stuffing attacks was then launched to compromise the remaining accounts. At the time, this was a smart way of doing business. To prevent further breaches, Nintendo posted a tweet asking members to enable 2-step authentication. The cyberattack gives the hackers total remote control over affected systems, allowing for potential data theft and further compromise. If your business isn't concerned about cybersecurity, it's only a matter of time before you're an attack victim. This figure had increased by 37 . While the exact list of records breached is yet to be confirmed, it's believed that the following guest records were compromised: Marriott stated in its press release that the breach is not believed to have exposed pin numbers, payment card information, national IDs, driver's license numbers or loyalty card passwords. According to one source, the hacker gained access to the Slack account of an HR employee, as well as data such as email addresses, phone numbers, and salaries of Activision employees.
But one expert from a personal virtual network service provider said that he's worried about the ultimate fallout from all these breaches. This incident was the impetus to Joe Biden's Cybersecurity Executive Order that now enforces all organizations to strengthen their supply chain security efforts. May 17, 2021: Unauthorized access to the business email accounts at Health Plan of San Joaquin allowed the perpetrator to gain access to patients' sensitive personal and medical information contained in messages and attachments that passed through the affected email accounts. In May of 2018, social media giant Twitter notified users of a glitch that stored passwords unmasked in an internal log, making all user passwords accessible to the internal network. After the attack and damages resulting in over $180 million, Home Depot promised to invest in cybersecurity to better protect sensitive financial data. Estimates of the amount of affected customers were not released, but it could number in the millions. MyHeritage, a genealogical service website, was compromised, affecting more than 92 million user accounts. Once breached, the hacker had access to over 320 million records from notifications being pushed out to Mailfire clients. Sociallarks, a rapidly growing Chinese social media agency, suffered a monumental data leak in 2021 through its unsecured ElasticSearch database. Wayfair, like most online retailers, saw a huge boom in revenues during the pandemic. In late 2016, Uber learned that two hackers were able to access the names, email addresses, and mobile phone numbers of 57 million users of the Uber app. The breach contained 112 million unique email addresses and PII such as names, birthdates and passwords stored as MD5 hashes.
Most cybercriminals post stolen data for sale after a breach, but the unidentified cybercriminal - who was likely using a proxy server - was not interested in monetary gain. The database included names, display names, dates of birth, weight, height, genders and geolocations, the majority of which were from Fitbit devices and Apple Healthkit. Wayfair's active users have been in steady decline since Q1 2021, but the 27.3 million in Q4 2021 is still higher than it was at the start of the pandemic. Feb. 19, 2020. The hackers shared two million of these LinkedIn records for only $2 total to prove the legitimacy of the information in the stolen data. All 533,000,000 Facebook records were just leaked for free. This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked. I have yet to see Facebook acknowledging this absolute negligence of your data. The data exposed may include an undisclosed number of customer names, email addresses, hashed and salted passwords, addresses and phone numbers. Enhancing Data Security - U.S. Senate Committee Hearing - Oct. 6, 2021. The ITRC will testify before the U.S. Senate Committee on Commerce, Science & Transportation today to present the findings from our Q3 Data Breach Analysis. MGM Resorts International, the casino and hotel giant, acknowledged on Wednesday that it was the victim of a data breach last year, the latest company to have the personal . Twitch's internal red teaming tools, used by internal security teams for cyberattack training exercises. The cybercriminals then sent a very convincing phishing email to this entire customer list claiming that a critical security incident occurred, requiring an urgent download of a patched version of the Trezor app.
Streaming platform Plex suffered a data breach impacting most of its users, approximately 20 million. In October 2016, hackers collected 20 years of data on six databases that included names, email addresses and passwords for The AdultFriendFinder Network. UpGuard's researchers also discovered and disclosed a related breach by AggregateIQ, a Canadian company with close ties to Cambridge Analytica. Investigations are still underway, so the complete impact of this phishing attack isn't yet known.